A refinement of Shor's algorithm for determining order is introduced, which determines a divisor of the order after any one run of a quantum computer with almost absolute certainty. The information garnered from each run is accumulated to determine the order, and for any k greater than 1, there is a guaranteed minimum positive probability that the order will be determined after at most k runs. The probability of determination of the order after at most k runs exponentially approaches a value negligibly less than one, so that the accumulated information determines the order with almost absolute certainty. The probability of determining the order after at most two runs is more than 60%, and the probability of determining the order after at most four runs is more than 90%.



1 Introduction 



In quantum computing, there are a few algorithms which can be performed more efficiently than their most efficient known classical counterparts. One such example is Grover's algorithm, which improves the efficiency of searching an unsorted list to the order of the theoretical limit of efficiency, at a cost of $O(\sqrt{N})$, where N is the length of the list. Another example is supplied by Shor's algorithms for determining order and for determining discrete logarithms, both of which can be performed in polynomial time with the aid of both a quantum computer and a classical computer. A consequence of the fact that Shor's algorithm determines order in polynomial time is that composite numbers can be factorized in polynomial time. Since Shor's algorithms aid in factorizing composite numbers and in solving the discrete logarithm problem, both in polynomial time, their implementation on a quantum computer would challenge the security of many of today's cryptographic algorithms (e.g. RSA, ElGamal, DSA, ECC).



Shor's original algorithm had the property that the number of runs on the quantum computer needed to determine the order of x modulo n was $O(\log\log n)$. In Knill's modification, the probability of success was improved, but on any single run of the quantum computer, the probability that the value output by the computers would be a divisor of the order may still be significantly less than 1. Knill did, however, introduce the concept of accumulating information from various runs of the quantum computer.

It is the purpose of this paper to refine the algorithm to the point that after any one run on the quantum computer, the probability that the value output by the computers is a divisor of the order is negligibly less than 1. When this refinement is combined with the accumulation of information, as discussed above, the number of required runs on the quantum computer is reduced to $O(1)$ (assuming ideal working of the quantum computer, including extra demands on the Quantum Fourier Transform). The refinement to the algorithm is introduced in §4, and it is demonstrated in §9 that the probability of finding the required order with not more than k runs on the quantum computer is greater than $1/\zeta(k) - O(n^{-\varepsilon})$ in the asymptotic limit as $n \to \infty$, where $\zeta$ is the Riemann zeta function, $\varepsilon$ is a positive number, and the statement $f > g - O(h)$ means that there exists a function F such that $f > g - F$ in the asymptotic limit, and $F/h$ is bounded in the same limit.

The refinement is effected by increasing the number of qubits in the first register by a factor of about 1.5, thus increasing the requirements of space and time on the quantum computer by a constant factor, and increasing the accuracy required in performing the Quantum Fourier Transform on the first register.

In §2, the modular metric, which measures distances between elements of $\mathbb{Z}/q\mathbb{Z}$, is introduced for all q. The purpose of introducing the modular metric is to obtain a proper and invariant concept of proximity.

In §3, Shor's original algorithm is discussed.

In §4, a refinement of Shor's algorithm is introduced in which each run of the quantum computer determines a divisor of the required order with almost absolute certainty, and the number of required runs on the quantum computer is $O(1)$.

In §5, an analysis of the probabilities of the measured value of the first register falling in some specific subsets of $\{0, 1, \ldots, q-1\}$ is given.

In §6, some facts about continued fractions (which are used in the classical part of the algorithm to determine information about the order) are given, with a new result determining sufficient conditions to guarantee that the classical part of the algorithm will yield a divisor of the required order.

In §7, the results of §5 and §6 are united to demonstrate that the refinement guarantees, with probability negligibly less than 1, that each run of the quantum computer yields a divisor of the required order, and the section also specifies sufficient information to determine approximate probabilities for each divisor.

In §8, an idealized version of the probability distribution is investigated in order to determine the probability that the order will be known after at most k runs of the quantum computer.

In §9, the properties of the idealized probability distribution are modified to the more concrete distribution associated with the refinement of Shor's algorithm.

2 Modular Metrics



For $q \in \mathbb{Z}$, $q > 1$, let $I_q = \{0, 1, \ldots, q-1\}$.

Theorem 2.1

For $q \in \mathbb{Z}$, $q > 1$, define $\rho_q : I_q \times I_q \to \mathbb{Z}$ by

$$\rho_q(x, y) = \min\{|x - y|,\; q - |x - y|\}, \tag{1}$$

then $\rho_q$ is a metric on $I_q$, and $\rho_q(x, y) \le q/2$ for all $x, y \in I_q$.

This is proven in Appendix A.

The modular metric $\rho_q$ is equivalent to a metric $s_q$ on $\mathbb{Z}/q\mathbb{Z}$ determined by the smallest distance between representatives of the respective cosets:

$$s_q(\bar{x}, \bar{y}) = \min\{|x - y| : x \in \bar{x},\; y \in \bar{y}\},$$

for $\bar{x}, \bar{y} \in \mathbb{Z}/q\mathbb{Z}$.

The modular metric gives a distance function on $\{0, 1, \ldots, q-1\}$ which is invariant under cyclic symmetries, and can be thought of as an arc length on a circle around which the elements have been evenly spaced.

3 Shor's Algorithm 



The purpose of the quantum part of Shor's algorithm is to determine the order r of x modulo n, where $0 < x < n$, and x and n are relatively prime; in other words, r is the smallest positive integer such that $x^r \equiv 1 \pmod n$ (note that $0 < r < n$). In Shor's paper, this was achieved in the following manner.



1. The state vector of the system is set to an initial state of

$$|\psi_0\rangle = \frac{1}{\sqrt{q}} \sum_{a=0}^{q-1} |a\rangle \otimes |0\rangle,$$

where q is an appropriate power of 2 (the first register is composed of l qubits, where $q = 2^l$). In Shor's paper, q is taken to be that unique power of 2 such that $n^2 \le q < 2n^2$. The state vector $|\psi_0\rangle$ arises from the state $|\phi_0\rangle = |0\rangle \otimes |0\rangle$ by taking a quantum Fourier transform on the first register, or alternatively by applying a gate of $H^{\otimes l}$ to the first register (so H is applied individually to each qubit), where H is the Hadamard gate.
2. The next step is to perform a modular exponentiation, so that $|\psi_0\rangle$ is mapped to

$$|\psi_1\rangle = \frac{1}{\sqrt{q}} \sum_{a=0}^{q-1} |a\rangle \otimes |x^a \bmod n\rangle = \frac{1}{\sqrt{q}} \sum_{k=0}^{r-1} \sum_{b=0}^{\lfloor (q-1-k)/r \rfloor} |br + k\rangle \otimes |x^{br+k} \bmod n\rangle = \frac{1}{\sqrt{q}} \sum_{k=0}^{r-1} \sum_{b=0}^{\lfloor (q-1-k)/r \rfloor} |br + k\rangle \otimes |x^k \bmod n\rangle,$$

where for real y, $\lfloor y \rfloor$ is the greatest integer less than or equal to y. The final equality follows from the fact that r is the order of x modulo n.

3. The next step is to take the quantum Fourier transform on the first register, so that the state becomes

$$|\psi_2\rangle = \frac{1}{q} \sum_{c=0}^{q-1} \sum_{a=0}^{q-1} \exp\left(\frac{2\pi i a c}{q}\right) |c\rangle \otimes |x^a \bmod n\rangle = \frac{1}{q} \sum_{c=0}^{q-1} \sum_{k=0}^{r-1} \sum_{b=0}^{\lfloor (q-1-k)/r \rfloor} \exp\left(\frac{2\pi i (br + k) c}{q}\right) |c\rangle \otimes |x^k \bmod n\rangle.$$



4. The final step is to measure the value c of the first register. The value of c is then input into a classical computer (which already has values for q and n), and a value for the fraction d'/r' satisfying the following conditions is found:

• d'/r' is in lowest terms (d' and r' have no common factors);

• $0 \le d'/r' < 1$;

• $0 < r' < n$;

• d'/r' is the nearest fraction to c/q which satisfies the other three conditions.

This is done with the use of continued fractions.



Shor noted that the probability that c ($c \in \mathbb{Z}$, $0 \le c < q$) is some given value which varies from an integral multiple of q/r by at most 1/2 (this is equivalent to equation (5.11) of Shor's paper), and that the value of the second register is $x^k \bmod n$ for some given k, is greater than $1/(3r^2)$. This observation can be formally expressed as follows: let X be the random variable denoting the result of the measurement of the first register, and let Y be the random variable denoting the result of a measurement of the second register, then for any given $d = 0, 1, \ldots, r-1$ and $k = 0, 1, \ldots, r-1$,

$$P\left(\left|X - \frac{dq}{r}\right| \le \frac{1}{2},\; Y = x^k \bmod n\right) > \frac{1}{3r^2}.$$



It follows that the probability that c is the value as given above is greater than $1/(3r)$, and so the probability that there exists an integer d such that $0 \le d < r$, d is relatively prime to r (d and r have no common factor), and c differs from dq/r by at most 1/2, is greater than $\phi(r)/(3r)$, where $\phi$ is Euler's totient function, defined by

$$\phi(r) = \#\{d \in \mathbb{Z} : 0 \le d < r,\; d \text{ and } r \text{ are relatively prime}\}.$$



A formula for $\phi$ is given by

$$\phi(r) = r \prod_{p \text{ prime},\; p \mid r} \left(1 - \frac{1}{p}\right).$$



The requirement that d and r be relatively prime comes from the fact that the only information about d/r that can be derived from c is its expression in lowest terms (no common factor for numerator and denominator), so that in order for the denominator to be the order of x, d and r can have no common factors. Shor used the theorem that $\phi(r)/r > \delta_1/\log\log r$ for some $\delta_1$ to yield the result that the probability above is greater than $\delta/\log\log r$, for some $\delta$, so that the number of trials required on the quantum computer is $O(\log\log n)$.



4 Refinement of Shor's Algorithm 

The refinement of Shor's algorithm to be introduced in this paper incorporates a modification of the value of the parameter q, and an accumulation of information in a similar manner to that suggested by Knill.

Take a positive real number $\varepsilon$, and let $w = n^\varepsilon$. Under the refinement, the algorithm for determining r is as follows. All steps except step 2 are performed on a classical computer.

1. Set s := 1 and $q \ge 2wn^3$ (e.g. set q to be that unique power of 2 such that $2wn^3 \le q < 4wn^3$);

2. Perform the quantum algorithm on the quantum computer with q as specified in Step 1, and measure the value c of the first register;

3. Determine the continued fraction expansion for c/q;

4. Determine all denominators of convergents of the continued fraction expansion up to the first denominator greater than or equal to n;

5. Let r' be the last denominator less than n, and set s := lcm(s, r');

6. Calculate $x^s \bmod n$;

7. If $x^s \not\equiv 1 \pmod n$, then go to Step 2;

8. Output s.

Note that the algorithm accumulates the information garnered from each measurement of c. Note also that only the denominators of the convergents are calculated. There is no need to calculate their numerators.
For the size of n that would be typically used in RSA encryption, the algorithm above determines the order r with probability negligibly less than one (the probability of determining a nontrivial multiple of r instead of the correct value is $O(n^{-1})$). The probability that the correct value of r will be found after at most 2 runs of the quantum computer is at least 60%, the probability after at most 4 runs is at least 90%, the probability after at most 6 runs is at least 98%, and the probability after at most 8 runs is at least 99.5%.

The rest of the paper is devoted to analysing the above algorithm in order to demonstrate the properties 
claimed for it. 



5 Probabilities of specified values for the first register

The essential feature of the profile of probabilities of the measured value c of the first register is that when $q \gg r$, the probability concentrates in the vicinities of dq/r, where d is an integer, with a probability of about 1/r in each vicinity. Further, if dq/r is an integer, then the full probability of 1/r effectively concentrates itself at $c = dq/r$, and if dq/r is not an integer, then the probability of c in the vicinity of dq/r is essentially inversely proportional to $(c - dq/r)^2$. It follows that for $q \gg r$, the only dependence that the probability profile in the vicinity of dq/r has on q is on the fractional part of dq/r (i.e. the full set of profiles is determined completely by the fractional part of q/r). This means qualitatively that as q increases, the concentrated areas of probability recede from each other, but the individual profiles do not "spread". These observations are made more rigorous in this section.

All results presented in this section without proof will be proven in Appendix B.

Since Shor's algorithm relies on measuring the value in the first register and then entering the result of the measurement into the classical computer, it is useful to have information about the probability distribution for the values taken by the first register in order to determine the probabilities of various outputs of the classical computer.

The parameter q will now be taken to be an arbitrary positive integer, and a measurement of the first register will be taken when the computer is in the state $|\psi_2\rangle$ given above.

Note that $|\psi_2\rangle$ is the final form of the state vector before measurement in the quantum algorithm in Shor's algorithm. The parameter q is generally taken to be a power of 2 as a result of the requirement of the usage of qubits in the quantum algorithms for addition, multiplication and modular exponentiation. Modification to qudits (with a higher number of levels) of the algorithms for addition, multiplication and modular exponentiation will allow for a wider range of values for q. Also, q is typically taken to be larger than n, although the results below are true for all possible values of q.

Let X be the random variable describing the result of the measurement of the first register in the final step of the algorithm on the quantum computer, then X must take the value of an integer between 0 and $q-1$, inclusive, and for $0 \le c \le q-1$, the probability that $X = c$ is given by $P(X = c) = \langle \chi_c | \chi_c \rangle$, where

$$|\chi_c\rangle = \frac{1}{q} \sum_{k=0}^{r-1} \sum_{b=0}^{\lfloor (q-1-k)/r \rfloor} \exp\left(\frac{2\pi i (br + k) c}{q}\right) |x^k \bmod n\rangle,$$

and so, since $x^k \bmod n \ne x^{k'} \bmod n$ for k and k' such that $0 \le k < r$, $0 \le k' < r$ and $k \ne k'$, then



$$P(X = c) = \frac{1}{q^2} \sum_{k=0}^{r-1} \left| \sum_{b=0}^{\lfloor (q-1-k)/r \rfloor} \exp\left(\frac{2\pi i (br+k) c}{q}\right) \right|^2 = \frac{1}{q^2} \sum_{k=0}^{r-1} \left| \sum_{b=0}^{\lfloor (q-1-k)/r \rfloor} \exp\left(\frac{2\pi i b c r}{q}\right) \right|^2 = \frac{1}{q^2} \sum_{k=0}^{r-1} \left| \sum_{b=0}^{\lfloor (q+k)/r \rfloor - 1} \exp\left(\frac{2\pi i b c r}{q}\right) \right|^2,$$

where the last equality is obtained by substituting $r - 1 - k$ for k.



If $cr/q \in \mathbb{Z}$, then $\exp(2\pi i c r / q) = 1$, so that

$$P(X = c) = \frac{1}{q^2} \sum_{k=0}^{r-1} \left( \sum_{b=0}^{\lfloor (q+k)/r \rfloor - 1} 1 \right)^2 = \frac{1}{q^2} \sum_{k=0}^{r-1} \left\lfloor \frac{q+k}{r} \right\rfloor^2. \tag{2}$$



On the other hand, if $cr/q \notin \mathbb{Z}$, then

$$P(X = c) = \frac{1}{q^2} \sum_{k=0}^{r-1} \left| \sum_{b=0}^{\lfloor (q+k)/r \rfloor - 1} \exp\left(\frac{2\pi i b c r}{q}\right) \right|^2 = \frac{1}{q^2} \sum_{k=0}^{r-1} \frac{\left| \exp\left(\frac{2\pi i \lfloor (q+k)/r \rfloor c r}{q}\right) - 1 \right|^2}{\left| \exp\left(\frac{2\pi i c r}{q}\right) - 1 \right|^2}. \tag{3}$$

The second equality above follows from the evaluation of the geometric progression

$$\sum_{b=0}^{\lfloor (q+k)/r \rfloor - 1} \exp\left(\frac{2\pi i b c r}{q}\right) = \frac{\exp\left(\frac{2\pi i \lfloor (q+k)/r \rfloor c r}{q}\right) - 1}{\exp\left(\frac{2\pi i c r}{q}\right) - 1}.$$

Much, if not all, of this is already known (e.g. page 17 of the cited reference).
If $q/r \in \mathbb{Z}$, then

$$P(X = c) = \begin{cases} \dfrac{1}{r}, & \dfrac{cr}{q} \in \mathbb{Z}, \\[4pt] 0, & \text{otherwise}, \end{cases}$$

so that c is guaranteed to be a multiple of q/r. Since $c = dq/r$ for some integer $0 \le d < r$, c/q is guaranteed to be equal to d/r for some $0 \le d < r$, and all values of d occur with equal probability 1/r.



5.1 The Case That q/r is not an Integer

The case where $q/r \notin \mathbb{Z}$ is more difficult.

In the case that $1 \le q < r$,

$$P(X = c) = \frac{1}{q},$$

for all c, so that all possible values of the first register occur with equal probability, and so no useful information can be obtained, as the behaviour is independent of $r > q$.

Since no useful information can be obtained if $q < r$, from now on it will be assumed that $q > r$.

If $cr/q \in \mathbb{Z}$, then

1 -- 2 - + ^<P(X = c)< 1 -+ 2 - + ^. (4) 
r q q r q q z 



Note that $P(X = c) = 1/r + O(1/q)$. If q is much larger than r, then it follows that $P(X = c)$ is very close to 1/r.

Suppose $cr/q \notin \mathbb{Z}$, then

$$P(X = c) \le \frac{r}{q^2 \sin^2(\pi c r / q)}. \tag{5}$$

This gives an upper bound for $P(X = c)$, and demonstrates that as the distance between c and the nearest integral multiple of q/r increases, the maximum possible probability that $X = c$ decreases. Specifically, the measured value of the first register is more likely to be in the neighbourhood of some multiple of q/r than it is not to be in any such neighbourhood.



Suppose that $c = dq/r + \Delta$, where $d \in \mathbb{Z}$ and $0 < |\Delta| \le q/(2r)$, so that

$$P(X = c) \le \frac{r}{q^2 \sin^2\left(\pi d + \frac{\pi \Delta r}{q}\right)} = \frac{r}{q^2 \sin^2\left(\frac{\pi \Delta r}{q}\right)},$$

by straightforward substitution for c in (5).

If $dq/r \in \mathbb{Z}$, so that $\Delta \in \mathbb{Z}$, then



P(X = c)< 



(6) 



Since P(X = c) = 0(-^), then for q much larger than r, P(X = c) is approximately equal to zero. 
If $dq/r \notin \mathbb{Z}$, so that $\Delta \notin \mathbb{Z}$, then



P(X = c) < 



sm 



2 7rd 



1 - 



6q 2 



7r 2 A 2 r 



irdq 



n\A\q 




(7) 



Further, if I Al < -i- 1 sin ^1, then 



P(X = c) > 



sm 



2 Trdç 2 



Trdq 



7r 2 A 2 r 7r| A|g 



(8) 
It follows that



Sin 2 ^ /j\ 

P <* = c > = ^ +0 U)> 

so that if q is much larger than r, then 
sin 2 ^2 

and so $P(X = c)$ is inversely proportional to $(c - dq/r)^2$ in the asymptotic limit. Note that the asymptotic profile is dependent only on the fractional part of dq/r and not on the size of q.



5.2 Probabilities for Certain Subsets 

Since the fraction which interests us, as far as determining the order is concerned, is not c/q (where c is the measured value of the first register) but d/r, the probability that c/q falls in the proximity of d/r is important, and the probability that c/q falls within a certain distance of d/r (or, equivalently, that c falls within a certain distance of dq/r) will be determined for a certain range of distances.

If ^ G Z, then 

r 1 

1 2 r ( ( dq\ q\ 1 3 r 

+ -<^P p ? U,- <f <- + - + -, (9) 

r q q \ \ r J Zr / r q ç z 

where $\rho_q$ is the modular metric (1). Note that the probability in (9) is $1/r + O(1/q)$. If q is much larger than r, then it follows that this probability is very close to 1/r.

The value of the parameter q will now be restricted so that $q > 2r$.

From now on, for $c \in \{0, 1, \ldots, q-1\}$, $d_c$ and $\Delta_c$ will be uniquely determined by the following conditions:

1. $d_c \in \{0, 1, \ldots, r\}$;

2. $c = d_c q / r + \Delta_c$;

For $0 \le u \le q/(2r) - 1$,

$$P(|\Delta_X| \ge u + 1) \le \frac{2}{\pi^2 u}. \tag{10}$$
This determines a hard upper bound, independent of q, for the probability that the distance between the measured value of the first register and the nearest multiple of q/r exceeds any given value greater than 1 but no greater than q/(2r), and demonstrates that the measured value of the first register will tend to be close to a multiple of q/r. Specifically, for any large fixed distance, the probability that the difference between the measured value of the first register and the nearest multiple of q/r exceeds this distance is small, independent of the size of q.

Let u now be fixed subject to $0 \le u \le q/(2r) - 1$.

If $dq/r \in \mathbb{Z}$, then



< u + 1 < 



2 (2u + 3)r 



(11) 



If $dq/r \notin \mathbb{Z}$, then it follows from the bounds already determined on $P(X = c)$ for c such that



c — 



dq 



< u+l, 



that if 



u < 



nr 



sm ■ 



Tïdq 



- 1, 



then 



< 



< 



x _ d A 



2 

nq \r 
< u + l 



+ ln 



(, _ 7r 2 («+l) 2 r 2 Y 



r 2 (u + 1) 
r - 1 



r(2u+ 1) 



7rg \r — 1 



+ ln 



r 2 (u + l) s 
r- 1 



(12) 



+ 



r(2w + 3) 



Note that if u is large, and if q is much larger than ru, then $P(|X - dq/r| \le u + 1)$ is very close to 1/r.

The probability that the measured value of the first register will be in the proximity of any specified multiple of q/r has been determined to be very close to 1/r for any given multiple, and so the probability that c/q (where c is the measured value of the first register) is close to d/r is approximately 1/r for any given value of d.



In summary, for q very large, the net probability of 1 is equally divided amongst the vicinities of dq/r for $d \in \mathbb{Z}$, with the probability effectively concentrated within vicinities of fixed maximum width, so that as q increases, the vicinities recede from each other while maintaining their maximum widths.

6 Continued Fractions



The determination of an appropriate rational number d/r from the measured value c is done on a classical computer with the use of continued fractions. In the context of the refinement of Shor's algorithm, we are interested in the width of the vicinity of dq/r which will, with certainty, identify d/r as the correct approximation to c/q, where c is the measured value of the first register. The width is linearly dependent on q.

The definition of a continued fraction is given here, along with some useful properties. The definition of continued fractions and most of the consequences drawn below can be found in the standard references.

For integers $a_0, a_1, a_2, \ldots, a_N$, where $a_0 \ge 0$ and $a_i > 0$ for $i = 1, 2, \ldots, N$, define the continued fraction $[a_0, a_1, a_2, \ldots, a_N]$ by

$$[a_0, a_1, a_2, \ldots, a_N] = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{\ddots + \cfrac{1}{a_N}}}},$$

so that $[a_0, a_1, a_2, \ldots, a_N]$ is a rational number.

Alternatively, a finite continued fraction can be defined by induction on the number of terms as follows. For a non-negative integer $a_0$, define $[a_0] = a_0$, and for integers $a_0, a_1, a_2, \ldots, a_N$ as above, define

$$[a_0, a_1, a_2, \ldots, a_N] = a_0 + \frac{1}{[a_1, a_2, \ldots, a_N]}.$$

For any $0 \le k \le N$, $\xi_k = [a_0, a_1, \ldots, a_k]$ is called a convergent of the continued fraction expansion.
If $\xi$ is rational, then define $a_i$ and $\xi_i$ by induction on i by

$$\xi_i = \begin{cases} \xi, & i = 0, \\[4pt] \dfrac{1}{\xi_{i-1} - a_{i-1}}, & \text{otherwise, if } \xi_{i-1} \ne a_{i-1}, \end{cases} \qquad a_i = \lfloor \xi_i \rfloor,$$

terminating when $\xi_i = a_i$ (i.e. when $\xi_i$ is an integer). This gives a continued fraction expansion $\xi = [a_0, a_1, a_2, \ldots, a_N]$, where $a_N > 1$. Alternatively, $\xi = [a_0, a_1, a_2, \ldots, a_N - 1, 1]$, yielding two distinct continued fraction expansions for $\xi$. It is known that for any rational number $\xi$, these two continued fraction expansions are the only possible expansions (for irrational numbers, there is exactly one continued fraction expansion, which is infinite).

Define integers $p_k$ and $q_k$ for $k \ge -1$ by induction on k as follows. Let

$$p_k = \begin{cases} 1, & k = -1, \\ a_0, & k = 0, \\ p_{k-2} + a_k p_{k-1}, & k > 0, \end{cases} \tag{13}$$

$$q_k = \begin{cases} 0, & k = -1, \\ 1, & k = 0, \\ q_{k-2} + a_k q_{k-1}, & k > 0, \end{cases} \tag{14}$$

then by standard results from the theory of continued fractions,

• $\xi_k = p_k / q_k$ for $k = 0, 1, 2, \ldots$;

• $p_{k-1} q_k - p_k q_{k-1} = (-1)^k$ for $k = 0, 1, 2, \ldots$;

• $\gcd(p_k, q_k) = 1$.

The first two statements are very easily proved by induction, and the third and fourth statements are trivial consequences of the first two.

It is also well-known that if $\xi$ is a positive real number, p and q are positive integers, and $|\xi - p/q| < 1/(2q^2)$, then p/q is a convergent of the continued fraction expansion for $\xi$.

It is proven in the cited reference that

Theorem 6.1

For $k \ge 1$, let $p_k/q_k$ be the corresponding convergent of the continued fraction expansion for $\xi$, so that $p_k$ and $q_k$ are defined by (13) and (14), then for $0 < q \le q_k$ and $p \in \mathbb{Z}$ such that $p/q \ne p_k/q_k$,

$$\left| \xi - \frac{p}{q} \right| > \left| \xi - \frac{p_k}{q_k} \right| \quad \text{and} \quad |q\xi - p| > |q_k \xi - p_k|.$$

We now come to the principal result that will be of use in analysing the refinement of Shor's algorithm, since it gives a sufficient condition on c (the result of measuring the first register) that will guarantee that the nearest fraction to c/q with denominator less than n is d/r for some integer d, and that d/r is a convergent of the continued fraction expansion for c/q.

Theorem 6.2

Suppose $r, n \in \mathbb{Z}$ and $0 < r < n$. For $v \ge 1$, let q be an integer greater than or equal to $2vn^2$. Suppose $d \in \{0, 1, \ldots, r\}$ and $|c - dq/r| < v$. Let d'/r' be the fraction satisfying the following conditions:

• d'/r' is in lowest terms (d' and r' have no common factors);

• $0 \le d'/r' \le 1$;

• $0 < r' < n$;

• d'/r' is the nearest fraction to c/q which satisfies the other three conditions.

Then $d'/r' = d/r$, and d/r is a convergent of the continued fraction expansion for c/q. Define $p_k$ and $q_k$ for $k = 0, 1, \ldots$, by (13) and (14), respectively. Let $N = \max\{k : q_k < n\}$, then $\xi_N = p_N/q_N = d/r$, so that d/r is the last convergent of the expansion which has denominator less than n.



Proof: Since $|c - dq/r| < v$, then

$$\left| \frac{c}{q} - \frac{d}{r} \right| < \frac{v}{q} \le \frac{1}{2n^2} < \frac{1}{2r^2},$$

so that d/r is a convergent of the continued fraction expansion for c/q.
Suppose $f, s \in \mathbb{Z}$, $0 < s < n$, and $0 \le f \le s$. If $f/s \ne d/r$, then

$$\left| \frac{f}{s} - \frac{d}{r} \right| = \frac{|fr - ds|}{rs} \ge \frac{1}{rs} > \frac{1}{n^2},$$

so that

$$\left| \frac{c}{q} - \frac{f}{s} \right| \ge \left| \frac{f}{s} - \frac{d}{r} \right| - \left| \frac{c}{q} - \frac{d}{r} \right| > \frac{1}{n^2} - \frac{1}{2n^2} = \frac{1}{2n^2} > \left| \frac{c}{q} - \frac{d}{r} \right|,$$

so that d/r is the nearest fraction to c/q which satisfies the requisite three conditions.

Since $d/r = d'/r'$ is a convergent of the continued fraction expansion for c/q, there exists N such that $p_N = d'$ and $q_N = r' < n$. If $q_{N+1} < n$, then, as a consequence of Theorem 6.1,

$$\left| \frac{c}{q} - \frac{p_{N+1}}{q_{N+1}} \right| < \left| \frac{c}{q} - \frac{p_N}{q_N} \right| = \left| \frac{c}{q} - \frac{d'}{r'} \right|,$$

contradicting the fact that d/r is the nearest fraction to c/q with denominator less than n. It follows that $q_{N+1} \ge n$, and so d/r is the last convergent of the expansion which has denominator less than n.

□



7 Some Analysis of the Refinement of Shor's Algorithm

Recall the refinement of Shor's algorithm as given earlier. All steps except step 2 are performed on a classical computer.

1. Set s := 1 and $q \ge 2wn^3$ (e.g. set q to be that unique power of 2 such that $2wn^3 \le q < 4wn^3$);

2. Perform the quantum algorithm on the quantum computer with q as specified in Step 1, and measure the value c of the first register;

3. Determine the continued fraction expansion for c/q;

4. Determine all denominators of convergents of the continued fraction expansion up to the first denominator greater than or equal to n;

5. Let r' be the last denominator less than n, and set s := lcm(s, r');

6. Calculate $x^s \bmod n$;

7. If $x^s \not\equiv 1 \pmod n$, then go to Step 2;

8. Output s.
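The following Python is an added illustration, not code from the paper: it implements the classical steps 1 and 3 to 8 above, and stands in for step 2 by sampling the first register from the distribution (3). The instance n = 21, x = 2 (order r = 6) and w = 2 (in place of $n^\varepsilon$) are constructed for the demonstration; the simulator needs r only to build the distribution, the classical side never sees it, and all function names are my own.

```python
import math
import random


def choose_q(n, w):
    """Step 1: the unique power of two with 2 w n^3 <= q < 4 w n^3."""
    q = 1
    while q < 2 * w * n ** 3:
        q *= 2
    return q


def first_register_distribution(q, r):
    """P(X = c) for c = 0..q-1 from equation (3). For residue k the geometric
    sum runs over b = 0..M_k-1 with M_k = floor((q + k)/r), and
    |sum_b exp(2 pi i b c r/q)|^2 = sin^2(pi c r M_k/q) / sin^2(pi c r/q),
    or M_k^2 when c r / q is an integer (equation (2)). This plays the part of
    the quantum computer in the simulation; the classical side never uses r."""
    counts = [(q + k) // r for k in range(r)]
    probs = []
    for c in range(q):
        if (c * r) % q == 0:
            total = sum(m * m for m in counts)
        else:
            denom = math.sin(math.pi * c * r / q) ** 2
            total = sum(math.sin(math.pi * c * r * m / q) ** 2 for m in counts) / denom
        probs.append(total / (q * q))
    return probs


def last_convergent_denominator_below(c, q, n):
    """Steps 3-5: walk the continued fraction of c/q, generating only the
    convergent denominators q_k = q_{k-2} + a_k q_{k-1} of (14), and return
    the last one below n (the first denominator >= n ends the expansion)."""
    num, den = c, q
    q_prev, q_cur = 0, 1               # q_{-1} and q_0
    _, rem = divmod(num, den)          # a_0 does not enter the denominators
    num, den = den, rem
    best = q_cur
    while den != 0:
        a, rem = divmod(num, den)      # next partial quotient a_k
        q_prev, q_cur = q_cur, q_prev + a * q_cur
        if q_cur >= n:
            break
        best = q_cur
        num, den = den, rem
    return best


def refined_order(x, n, q, measure, max_runs=50):
    """Steps 5-8: accumulate s = lcm of the r' values until x^s = 1 (mod n).
    `measure()` stands in for step 2 and returns the measured value c.
    Returns (s, number of quantum runs used), or (None, max_runs)."""
    s = 1
    for run in range(1, max_runs + 1):
        r_prime = last_convergent_denominator_below(measure(), q, n)
        s = math.lcm(s, r_prime)
        if pow(x, s, n) == 1:
            return s, run
    return None, max_runs


if __name__ == "__main__":
    n, x, r, w = 21, 2, 6, 2          # constructed instance: 2^6 = 64 = 1 (mod 21)
    q = choose_q(n, w)                # 65536, the power of two with 2*2*21^3 <= q
    dist = first_register_distribution(q, r)
    rng = random.Random(2024)

    def measure():
        return rng.choices(range(q), weights=dist)[0]

    s, runs = refined_order(x, n, q, measure)
    print(f"q = {q}: order found s = {s} after {runs} quantum run(s)")
```

Theorem 6.2 applies here with v up to q/(2n²) ≈ 74, so every c within 70 of some dq/r yields an r' dividing 6, which is what the accumulation relies on.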

The significant results of the last two sections can be summarised as follows:

• For q very large, the net probability of 1 is essentially equally divided amongst vicinities of dq/r of fixed finite maximum width for $d \in \mathbb{Z}$;

• The width of the vicinity of dq/r which will, with certainty, identify d/r as the correct approximation to c/q is linearly dependent on q.

This means that if a large enough value for q is taken, then the vicinity which will, with certainty, identify d/r as the correct approximation to c/q will encompass the entire vicinity of dq/r in which the probability is effectively concentrated. This is the raison d'être for choosing q with the value as given in the refinement.

In the refinement of Shor's algorithm,

$$P(|\Delta_X| \ge wn) \le \frac{2}{\pi^2 (wn - 1)}$$

as a consequence of (10), so that

$$P(|\Delta_X| < wn) \ge 1 - \frac{2}{\pi^2 (wn - 1)}, \tag{15}$$

and so if n is large, then $P(|\Delta_X| \ge wn)$ is very small, and $P(|\Delta_X| < wn)$ is very close to 1. If $dq/r \in \mathbb{Z}$, then by (9),

< p( Pq ( X ,^)<wn)<l + -^ + -^-j. (16) 



r wn 3 \ \ ' r J ) r wn 3 2wn 4 

This result is proven in the Appendix.
If $dq/r \notin \mathbb{Z}$, then, by (12),



< 



1 



r n 2 (wn — 1) 



< P 



2ÍU 1 



nwn° 



< wn 
1 i 



r 



-ïïwrv' 



1+ln- 



1 + ln ■ 



(17) 



2wn 4 



This result is also proven in the Appendix.



It follows that if n is large, as is the case for any practical RSA encryption algorithm, then $P(\rho_q(X, dq/r) < wn)$ is close to 1/r for all d.



For the refinement, the probability that $|\Delta_c| < wn$, where c is the measured value of the first register, is greater than $1 - 2/(\pi^2(wn-1))$ by (15). By Theorem 6.2, if $|\Delta_c| < wn$, then the last convergent of the continued fraction expansion for c/q with denominator less than n is necessarily of the form d/r for some $d \in \mathbb{Z}$ such that $0 \le d \le r$, so that, in the refinement, r' necessarily divides r, as this is the convergent which is determined by the refinement (or rather, its denominator is determined by the refinement). It follows that after each run on the quantum computer, the probability that r' divides r is greater than $1 - 2/(\pi^2(wn-1))$. Since the runs on the quantum computer are, in effect, independent random samples with replacement, the probability that s still divides r after k runs on the quantum computer is greater than $(1 - 2/(\pi^2(wn-1)))^k$. Specifically, for the size of n that would typically be used in RSA encryption, the probability that s will not divide r after k runs on the quantum computer is negligibly small (of the same order of magnitude as $1/n$). Since the value of s is almost guaranteed to be a divisor of r after k runs of the quantum computer, and $x^s \equiv 1 \pmod n$ iff s is a multiple of r, it is almost guaranteed that when the refinement terminates, s will be equal to r (s is certainly a multiple of r on termination, and it is almost certain to be a divisor of r).



This can be expressed formally as follows. Let $A_k$ denote the random variable describing the result of the measurement of the first register after the k-th run of the quantum computer, let $B_k$ denote the random variable describing the corresponding value of r' calculated by the classical computer, and let $C_k$ be the random variable defined by

$$C_k = \operatorname{lcm}(B_1, \ldots, B_k),$$

so that $C_k$ describes the value of s after k runs of the quantum computer, then, by (15),

$$P(|\Delta_{A_k}| < wn) \ge 1 - \frac{2}{\pi^2(wn-1)},$$

for all k, so that by Theorem 6.2,

$$P(B_k \mid r) \ge 1 - \frac{2}{\pi^2(wn-1)},$$

for all k, where $B_k \mid r$ denotes the event that $B_k$ divides r, and so

$$P(C_k \mid r) \ge \left(1 - \frac{2}{\pi^2(wn-1)}\right)^k,$$

for all k, by the independence of the random variables $A_k$ (from which the independence of the random variables $B_k$ follows).



8 Some Results in Probability

It was noted in §7 that the probability that d/r is the fraction with denominator less than n which is closest to c/q (where c is the measured value of the first register) is close to 1/r (and in fact, it approaches 1/r in the limit as $q \to \infty$). The properties of the probability distributions of certain random variables (which are analogues of important random variables related to the refinement) associated with the idealized distribution follow. The purpose here is to get some idea of the probability that the refinement of Shor's algorithm will terminate after at most k runs of the quantum computer and output the required order.

Let a natural number s have prime factorization

$$s = \prod_{j \in J} p_j^{a_j},$$

where J is some index set, the $p_j$ are distinct primes, and $a_j \ge 1$ for all $j \in J$. Let $Z_i$, $i = 1, 2, 3, \ldots$, denote independent uniformly distributed random variables from the sample space $\{0, 1, \ldots, s-1\}$, so that for all i, and for all d in the sample space, $P(Z_i = d) = 1/s$. Let $R_i$ be the random variable defined by

$$R_i = \frac{s}{\gcd(Z_i, s)},$$

so that the $R_i$ are independent random variables, and $R_i$ is the denominator of $Z_i/s$ when expressed in lowest terms. For $k = 1, 2, 3, \ldots$, define the random variable $S_k$ by

$$S_k = \operatorname{lcm}(R_1, R_2, \ldots, R_k).$$

Note that s is a parameter for the probability distributions of $Z_i$, $R_i$, and $S_k$.

Theorem 8.1

For all values of the parameter s,

$$P(S_k = s) > \frac{1}{\zeta(k)}$$
for all $k \ge 2$, where $\zeta$ is the Riemann zeta function defined by

$$\zeta(z) = \sum_{m=1}^{\infty} \frac{1}{m^z} = \prod_{p \text{ prime}} \left(1 - \frac{1}{p^z}\right)^{-1}$$

for $\Re(z) > 1$.



Specifically,

$$P(S_2 = s) > \frac{6}{\pi^2} > \frac{3}{5}, \qquad P(S_4 = s) > \frac{90}{\pi^4} > \frac{9}{10},$$

so that the probability that $S_2$ is equal to s is greater than 60%, and the probability that $S_4$ is equal to s is greater than 90%. Similarly,

$$P(S_6 = s) > \frac{945}{\pi^6} > \frac{49}{50}, \qquad P(S_8 = s) > \frac{9450}{\pi^8} > \frac{199}{200},$$

so that the probability that $S_6$ is equal to s is greater than 98%, and the probability that $S_8$ is equal to s is greater than 99.5%.

The proof of Theorem 8.1 is given in the Appendix.



9 More Analysis of the Refinement of Shor's Algorithm

As before, let A_k denote the random variable describing the result of the measurement of the first register after the k-th run of the quantum computer, let B_k describe the corresponding value of r' as determined by the refinement, and let the random variable C_k be defined by
$$C_k = \operatorname{lcm}(B_1, \ldots, B_k).$$
Further, let the random variable D_k be defined as the nearest integer to A_k r/q, so that D_k describes the nearest integer to cr/q, where c is the measured value of the first register after the k-th run of the quantum computer. Note that A_k, k = 1, 2, 3, ..., are independent random variables, and that for c = 0, ..., q − 1,
$$P(A_k = c) = \begin{cases} \dfrac{1}{q^2}\displaystyle\sum_{m=0}^{r-1} \left\lfloor \frac{q+m}{r} \right\rfloor^2, & \dfrac{cr}{q} \in \mathbb{Z}, \\[2ex] \dfrac{1}{q^2}\displaystyle\sum_{m=0}^{r-1} \frac{\sin^2\!\left(\frac{\pi c r}{q}\left\lfloor \frac{q+m}{r} \right\rfloor\right)}{\sin^2\!\left(\frac{\pi c r}{q}\right)}, & \dfrac{cr}{q} \notin \mathbb{Z}, \end{cases}$$



and as noted previously, for the refinement,
$$P(|\Delta_{A_k}| < wn) \ge 1 - \frac{2}{\pi^2(wn-1)},$$
so that
$$P(B_k \mid r) \ge 1 - \frac{2}{\pi^2(wn-1)}$$
by Theorem 6.2, and so
$$P(C_k \mid r) \ge \left(1 - \frac{2}{\pi^2(wn-1)}\right)^k.$$



It follows that for any given d, by (16) and (17),
$$\frac{1}{r} - \frac{1}{wn^3} \le P\!\left(\rho_q\!\left(A_k, \frac{dq}{r}\right) < wn\right) \le \frac{1}{r} + \frac{1}{wn^3} + \frac{1}{2wn^4}$$
if dq/r ∈ Z, and
$$\frac{1}{r} - \frac{2}{\pi^2(wn-1)} - \frac{1}{\pi w n^3}\left(n + 1 + \ln\frac{w^2 n^4}{n-1}\right) \le P\!\left(\rho_q\!\left(A_k, \frac{dq}{r}\right) < wn\right) \le \frac{1}{r} + \frac{1}{\pi w n^3}\left(n + 1 + \ln\frac{w^2 n^4}{n-1}\right) + \frac{1}{2wn^4}$$
if dq/r ∉ Z.



This concludes the summary of what is already known.

Note that D_k = d if
$$\rho_q\!\left(A_k, \frac{dq}{r}\right) < wn$$
for d = 1, ..., r − 1, and D_k = 0 or D_k = r if
$$\rho_q(A_k, 0) < wn.$$
Given ρ_q(A_k, dq/r) < wn for some d = 0, 1, ..., r, then D_k = d, and
$$B_k = \frac{r}{\gcd(D_k, r)}.$$
It follows that for all d,
$$P(D_k = d) = \frac{1}{r} + O\!\left(\frac{1}{wn}\right),$$
and
$$P\!\left(\rho_q\!\left(A_k, \frac{dq}{r}\right) \ge wn \text{ for all } d\right) = O\!\left(\frac{1}{wn}\right).$$
This means that the probability distribution for D_k becomes uniform in the asymptotic limit, and the results of the last Section become exact in the asymptotic limit. Here, D_k plays the same role as Z_i, B_k plays the same role as R_i, and C_k plays the same role as S_k. This means that the asymptotic limit of P(C_k = r) as n becomes large should be greater than 1/ζ(k) for k ≥ 2.



By a similar argument to that used in the proof of Theorem 8.1 (in Appendix D), for k ≥ 2 and k small,
$$P(C_k = r) = \prod_{j \in J}\left(1 - \frac{1}{p_j^k}\right) + O(n^{-\varepsilon}), \tag{18}$$
since w = n^ε. Finally, since
$$\prod_{j \in J}\left(1 - \frac{1}{p_j^k}\right) \ge \prod_{p \text{ prime}}\left(1 - \frac{1}{p^k}\right) = \frac{1}{\zeta(k)},$$
then
$$P(C_k = r) \ge \frac{1}{\zeta(k)} - O(n^{-\varepsilon}),$$
where the statement f ≥ g − O(h) means that there exists a function F such that f ≥ g − F in the asymptotic limit, and F/h is bounded in the same limit.



This means that for the size of n that would typically be used in RSA encryption, the probability that 
the correct value for r will be found after at most 2 runs of the quantum computer is at least 60%, and 
the probability that the correct value for r will be found after at most 4 runs of the quantum computer 
is at least 90%, etc. 



10 Conclusion 



There are various advantages and disadvantages to the refinement of Shor's algorithm as detailed in this paper. The advantages include the facts that each run of the quantum computer is almost certain to evaluate r' as a divisor of r, and that the probability that the actual value of r will be found after at most k runs of the quantum computer is greater than 1/ζ(k), so that the probability is greater than 60% that no more than 2 runs will be necessary, and greater than 90% that no more than 4 runs will be necessary. On the other hand, the quantum computer requires more space and time to run the refinement (the space and time requirements are each multiplied by approximately a constant), and the Quantum Fourier Transform requires more delicate rotations of angles (of a smaller order than Shor's original algorithm would require). Also, the number of runs needed by Shor's original algorithm is O(log log n), and log log n is a very slowly growing function. For a value of n = 10^400, if the logarithms are to base 2, log log n is between 10 and 11. These are questions which will have to be investigated in greater detail if the case of which algorithm is preferable is to be decided.

The derivation of (18) is given in Appendix E.



A Proof of Theorem [?]

Proof: There are three conditions to be checked in order to show that ρ_q is a metric.

1. Note that |x − y| ≥ 0 for all x, y ∈ I_q. Since 0 ≤ x ≤ q − 1 and 0 ≤ y ≤ q − 1, then |x − y| ≤ q − 1, and so q − |x − y| ≥ 1 > 0, so that for all x, y ∈ I_q,
$$\rho_q(x, y) = \min(|x - y|, q - |x - y|) \ge 0.$$
For all x, |x − x| = 0, so q − |x − x| = q, and so ρ_q(x, x) = 0. Conversely, suppose x, y ∈ I_q and that ρ_q(x, y) = 0. Since ρ_q(x, y) = min(|x − y|, q − |x − y|), then either |x − y| = 0 or q − |x − y| = 0. If |x − y| = 0, then x = y. If q − |x − y| = 0, then |x − y| = q, contradicting |x − y| ≤ q − 1.

It follows that ρ_q(x, y) ≥ 0 for all x, y ∈ I_q, and that ρ_q(x, y) = 0 iff x = y.

2. Since |x − y| = |y − x|, then ρ_q(x, y) = ρ_q(y, x), so that ρ_q is symmetric.

3. If ρ_q(x, y) = |x − y| and ρ_q(y, z) = |y − z|, then
$$\rho_q(x, z) \le |x - z| \le |x - y| + |y - z| = \rho_q(x, y) + \rho_q(y, z).$$
If ρ_q(x, y) = |x − y| and ρ_q(y, z) = q − |y − z|, then, since
$$|y - z| \le |x - y| + |x - z|,$$
it follows that
$$\rho_q(x, z) \le q - |x - z| \le q + |x - y| - |y - z| = \rho_q(x, y) + \rho_q(y, z).$$
Similarly, if ρ_q(x, y) = q − |x − y| and ρ_q(y, z) = |y − z|, then ρ_q(x, z) ≤ ρ_q(x, y) + ρ_q(y, z).

If ρ_q(x, y) = q − |x − y| and ρ_q(y, z) = q − |y − z|, then q − |x − y| ≤ |x − y| and q − |y − z| ≤ |y − z|, so that 2|x − y| ≥ q and 2|y − z| ≥ q, and so |x − y| ≥ q/2 and |y − z| ≥ q/2. There are two cases.

• Case 1 (0 ≤ y < q/2): Since |x − y| ≥ q/2, then y + q/2 ≤ x ≤ q − 1. Similarly, y + q/2 ≤ z ≤ q − 1. Since |x − y| = x − y and |y − z| = z − y, then ρ_q(x, y) = q + y − x ≥ q − x > z − x and ρ_q(y, z) = q + y − z ≥ q − z > x − z. It follows that
$$\rho_q(x, z) = |x - z| < \rho_q(x, y) + \rho_q(y, z).$$

• Case 2 (q/2 ≤ y ≤ q − 1): Since |x − y| ≥ q/2, then 0 ≤ x ≤ y − q/2 ≤ q/2. Similarly, 0 ≤ z ≤ y − q/2 ≤ q/2. Since |x − y| = y − x and |y − z| = y − z, then ρ_q(x, y) = q + x − y ≥ x ≥ x − z and ρ_q(y, z) = q + z − y ≥ z ≥ z − x. It follows that
$$\rho_q(x, z) = |x - z| < \rho_q(x, y) + \rho_q(y, z).$$

It follows that the Triangle Inequality holds.

It follows from these three facts that ρ_q is a metric on I_q, to be called the modular metric.

Recall that |x − y| ≤ q − 1 for x, y ∈ I_q. If |x − y| ≤ q/2, then ρ_q(x, y) ≤ |x − y| ≤ q/2. On the other hand, if q/2 < |x − y| ≤ q − 1, then ρ_q(x, y) ≤ q − |x − y| < q/2. In either case, ρ_q(x, y) ≤ q/2. □
B Proof of results presented in §[?]

The first result to prove is the result that if q/r ∈ Z, then
$$P(X = c) = \begin{cases} \dfrac{1}{r}, & \dfrac{cr}{q} \in \mathbb{Z}, \\[1ex] 0, & \text{otherwise.} \end{cases}$$
In this case, then
$$\left\lfloor \frac{q+k}{r} \right\rfloor = \frac{q}{r} \tag{19}$$
for k = 0, ..., r − 1. If cr/q ∈ Z, then substitution of (19) into (?) immediately yields
$$P(X = c) = \frac{1}{r}.$$
On the other hand, in the case that cr/q ∉ Z, then sin(π(cr/q)(q/r)) = sin(πc) = 0 (as c ∈ Z), so that substitution of (19) into (?) immediately yields
$$P(X = c) = 0.$$
The next result is that if 1 ≤ q < r, then
$$P(X = c) = \frac{1}{q}$$
for all c (thus yielding no useful information). In this case,
$$\left\lfloor \frac{q+k}{r} \right\rfloor = \begin{cases} 0, & 0 \le k < r - q, \\ 1, & r - q \le k \le r - 1, \end{cases}$$
so that
$$P(X = c) = \frac{1}{q^2} \sum_{k=0}^{r-1} \left| \sum_{b=0}^{\lfloor (q+k)/r \rfloor - 1} \exp\!\left(\frac{2\pi i b c r}{q}\right) \right|^2 = \frac{1}{q^2} \sum_{k=r-q}^{r-1} \left| \sum_{b=0}^{0} \exp\!\left(\frac{2\pi i b c r}{q}\right) \right|^2 = \frac{1}{q^2} \sum_{k=r-q}^{r-1} 1 = \frac{1}{q}.$$
Alternatively, (?) and (?) can be used, and they yield the same result.

In the case that q ≥ r, then for k = 0, ..., r − 1, q ≤ q + k < q + r, so that
$$\frac{q}{r} - 1 < \left\lfloor \frac{q+k}{r} \right\rfloor < \frac{q}{r} + 1.$$


The inequality (?) is now proven as follows. If cr/q ∈ Z, then it follows from (?) that
$$\frac{1}{q^2}\sum_{k=0}^{r-1}\left(\frac{q}{r} - 1\right)^2 \le P(X = c) = \frac{1}{q^2}\sum_{k=0}^{r-1}\left\lfloor \frac{q+k}{r} \right\rfloor^2 \le \frac{1}{q^2}\sum_{k=0}^{r-1}\left(\frac{q}{r} + 1\right)^2,$$
and so, expanding the squares,
$$\frac{1}{r} - \frac{2}{q} + \frac{r}{q^2} \le P(X = c) \le \frac{1}{r} + \frac{2}{q} + \frac{r}{q^2}.$$
On the other hand, if cr/q ∉ Z, then it follows from (?) that
$$P(X = c) = \frac{1}{q^2}\sum_{k=0}^{r-1}\frac{\sin^2\!\left(\frac{\pi c r}{q}\left\lfloor \frac{q+k}{r} \right\rfloor\right)}{\sin^2\!\left(\frac{\pi c r}{q}\right)} \le \frac{1}{q^2}\sum_{k=0}^{r-1}\frac{1}{\sin^2\!\left(\frac{\pi c r}{q}\right)} = \frac{r}{q^2 \sin^2\!\left(\frac{\pi c r}{q}\right)},$$
thus demonstrating (?).
Suppose that c = dq/r + Δ, where d ∈ Z and 0 < |Δ| ≤ q/(2r); then (substituting for c in (?)),
$$P(X = c) = \frac{1}{q^2}\sum_{k=0}^{r-1}\frac{\sin^2\!\left(\pi\left(d + \frac{\Delta r}{q}\right)\left\lfloor \frac{q+k}{r} \right\rfloor\right)}{\sin^2\!\left(\pi\left(d + \frac{\Delta r}{q}\right)\right)} = \frac{1}{q^2}\sum_{k=0}^{r-1}\frac{\sin^2\!\left(\pi d\left\lfloor \frac{q+k}{r} \right\rfloor + \frac{\pi\Delta r}{q}\left\lfloor \frac{q+k}{r} \right\rfloor\right)}{\sin^2\!\left(\pi d + \frac{\pi\Delta r}{q}\right)} = \frac{1}{q^2}\sum_{k=0}^{r-1}\frac{\sin^2\!\left(\pi\Delta + \frac{\pi\Delta r}{q}\left(\left\lfloor \frac{q+k}{r} \right\rfloor - \frac{q}{r}\right)\right)}{\sin^2\!\left(\frac{\pi\Delta r}{q}\right)},$$
exploiting the periodicity of sin.
If dq/r ∈ Z, then Δ ∈ Z, so that
$$P(X = c) = \frac{1}{q^2}\sum_{k=0}^{r-1}\frac{\sin^2\!\left(\frac{\pi\Delta r}{q}\left(\left\lfloor \frac{q+k}{r} \right\rfloor - \frac{q}{r}\right)\right)}{\sin^2\!\left(\frac{\pi\Delta r}{q}\right)}.$$
In particular, since
$$\left|\left\lfloor \frac{q+k}{r} \right\rfloor - \frac{q}{r}\right| < 1$$
for all k = 0, ..., r − 1, then if 0 < |Δ| ≤ q/(2r), then
$$\left|\frac{\pi\Delta r}{q}\left(\left\lfloor \frac{q+k}{r} \right\rfloor - \frac{q}{r}\right)\right| < \left|\frac{\pi\Delta r}{q}\right| \le \frac{\pi}{2},$$
and so
$$P(X = c) = \frac{1}{q^2}\sum_{k=0}^{r-1}\frac{\sin^2\!\left(\frac{\pi\Delta r}{q}\left(\left\lfloor \frac{q+k}{r} \right\rfloor - \frac{q}{r}\right)\right)}{\sin^2\!\left(\frac{\pi\Delta r}{q}\right)} < \frac{1}{q^2}\sum_{k=0}^{r-1} 1 = \frac{r}{q^2},$$
as sin²y is a monotonic increasing function on y ∈ [0, π/2], thus yielding (?). This means that the probability that X will differ from dq/r, for some integer d such that dq/r is also an integer, by at most q/(2r) and by more than 0, is negligible if q is much larger than r.

If dq/r ∉ Z, then Δ ∉ Z. Since
$$\frac{q}{r} - 1 < \left\lfloor \frac{q+k}{r} \right\rfloor < \frac{q}{r} + 1$$
for k = 0, ..., r − 1, so that
$$\left|\left\lfloor \frac{q+k}{r} \right\rfloor - \frac{q}{r}\right| < 1,$$
and since |cos y| ≤ 1 for y ∈ R, it follows that
$$|\sin(\pi\Delta)| - \frac{\pi|\Delta| r}{q} \le \left|\sin\!\left(\pi\Delta + \frac{\pi\Delta r}{q}\left(\left\lfloor \frac{q+k}{r} \right\rfloor - \frac{q}{r}\right)\right)\right| \le |\sin(\pi\Delta)| + \frac{\pi|\Delta| r}{q}$$
for k = 0, ..., r − 1, thus giving bounds on the square root of the numerator of the summand in (?). Since dq/r + Δ is an integer, then
$$|\sin(\pi\Delta)| = \left|\sin\frac{\pi d q}{r}\right|,$$
so that
$$\left|\sin\frac{\pi d q}{r}\right| - \frac{\pi|\Delta| r}{q} \le \left|\sin\!\left(\pi\Delta + \frac{\pi\Delta r}{q}\left(\left\lfloor \frac{q+k}{r} \right\rfloor - \frac{q}{r}\right)\right)\right| \le \left|\sin\frac{\pi d q}{r}\right| + \frac{\pi|\Delta| r}{q}$$
for k = 0, ..., r − 1. Upon taking the square (so we now have the numerator of the summand), it follows that
$$\sin^2\!\left(\pi\Delta + \frac{\pi\Delta r}{q}\left(\left\lfloor \frac{q+k}{r} \right\rfloor - \frac{q}{r}\right)\right) \le \sin^2\frac{\pi d q}{r} + \frac{2\pi|\Delta| r}{q}\left|\sin\frac{\pi d q}{r}\right| + \frac{\pi^2\Delta^2 r^2}{q^2},$$
and that if |Δ| < (q/(πr))|sin(πdq/r)|, then
$$\sin^2\!\left(\pi\Delta + \frac{\pi\Delta r}{q}\left(\left\lfloor \frac{q+k}{r} \right\rfloor - \frac{q}{r}\right)\right) \ge \sin^2\frac{\pi d q}{r} - \frac{2\pi|\Delta| r}{q}\left|\sin\frac{\pi d q}{r}\right| + \frac{\pi^2\Delta^2 r^2}{q^2},$$
and so, substituting into (?),
$$P(X = c) \le \frac{r}{q^2\sin^2\!\left(\frac{\pi\Delta r}{q}\right)}\left(\sin^2\frac{\pi d q}{r} + \frac{2\pi|\Delta| r}{q}\left|\sin\frac{\pi d q}{r}\right| + \frac{\pi^2\Delta^2 r^2}{q^2}\right) \le \left(1 - \frac{\pi^2\Delta^2 r^2}{6q^2}\right)^{-2}\left(\frac{\sin^2\frac{\pi d q}{r}}{\pi^2\Delta^2 r} + \frac{2\left|\sin\frac{\pi d q}{r}\right|}{\pi|\Delta| q} + \frac{r}{q^2}\right),$$
thus yielding (?), if |Δ| ≤ q/(2r), since
$$y\left(1 - \frac{y^2}{6}\right) \le \sin y \le y$$
for y ∈ (0, π/2]. Similarly, if |Δ| < (q/(πr))|sin(πdq/r)|, then
$$P(X = c) \ge \frac{r}{q^2\sin^2\!\left(\frac{\pi\Delta r}{q}\right)}\left(\sin^2\frac{\pi d q}{r} - \frac{2\pi|\Delta| r}{q}\left|\sin\frac{\pi d q}{r}\right| + \frac{\pi^2\Delta^2 r^2}{q^2}\right) \ge \frac{\sin^2\frac{\pi d q}{r}}{\pi^2\Delta^2 r} - \frac{2\left|\sin\frac{\pi d q}{r}\right|}{\pi|\Delta| q} + \frac{r}{q^2},$$
thus yielding (?).

If dq/r ∈ Z, then by (?) and (?),
$$\frac{1}{r} - \frac{2}{q} + \frac{r}{q^2} \le P\!\left(X = \frac{dq}{r}\right) \le P\!\left(\rho_q\!\left(X, \frac{dq}{r}\right) \le \frac{q}{2r}\right),$$
where ρ_q is the modular metric (?), since P(X = c) < r/q² for all c such that 0 < ρ_q(c, dq/r) ≤ q/(2r), and there are at most 2 · q/(2r) such values of c. It follows that
$$\frac{1}{r} - \frac{2}{q} + \frac{r}{q^2} \le P\!\left(\rho_q\!\left(X, \frac{dq}{r}\right) \le \frac{q}{2r}\right) \le \frac{1}{r} + \frac{2}{q} + \frac{r}{q^2} + 2\cdot\frac{q}{2r}\cdot\frac{r}{q^2} = \frac{1}{r} + \frac{2}{q} + \frac{r}{q^2} + \frac{1}{q} = \frac{1}{r} + \frac{3}{q} + \frac{r}{q^2},$$
thus yielding (?).

The value of the parameter q will now be restricted so that q > 2r.

We are interested in the probability that the measured value c of the first register will fall inside a specified distance from an integral multiple of q/r, so we are also interested in the probability that it will fall outside the specified distance. This is the motivation behind the following calculations.

Since
$$P(X = c) \le \frac{r}{q^2\sin^2\!\left(\frac{\pi c r}{q}\right)}$$
by (?), if c ∈ Z, 0 ≤ c < q, and cr/q ∉ Z, and since sin²y is a monotonic increasing function on y ∈ [0, π/2], then the following hold by straightforward substitution.

• If d ∈ Z, d ∈ {0, 1, ..., r − 1}, 1 < C ≤ q/(2r), and dq/r + C ∈ Z, then
$$P\!\left(X = \frac{dq}{r} + C\right) \le \frac{r}{q^2\sin^2\!\left(\pi d + \frac{\pi C r}{q}\right)} = \frac{r}{q^2\sin^2\!\left(\frac{\pi C r}{q}\right)} \le \int_{C-1}^{C}\frac{r\,d\xi}{q^2\sin^2\!\left(\frac{\pi\xi r}{q}\right)},$$
the equality following from the fact that d ∈ Z.

• If d ∈ Z, d ∈ {1, ..., r}, 1 < C ≤ q/(2r), and dq/r − C ∈ Z, then
$$P\!\left(X = \frac{dq}{r} - C\right) \le \frac{r}{q^2\sin^2\!\left(\pi d - \frac{\pi C r}{q}\right)} = \frac{r}{q^2\sin^2\!\left(\frac{\pi C r}{q}\right)} \le \int_{C-1}^{C}\frac{r\,d\xi}{q^2\sin^2\!\left(\frac{\pi\xi r}{q}\right)},$$
the equality following from the fact that d ∈ Z.



If d ∈ Z, d ∈ {0, 1, ..., r − 1}, 1 < A < A' ≤ q/(2r), and dq/r + A, dq/r + A' ∈ Z, then by (?)
$$P\!\left(\frac{dq}{r} + A \le X \le \frac{dq}{r} + A'\right) \le \int_{A-1}^{A'}\frac{r\,d\xi}{q^2\sin^2\!\left(\frac{\pi\xi r}{q}\right)} = \left[-\frac{1}{\pi q}\cot\frac{\pi\xi r}{q}\right]_{A-1}^{A'} = \frac{1}{\pi q}\left(\cot\frac{\pi(A-1)r}{q} - \cot\frac{\pi A' r}{q}\right).$$
This gives an upper bound on the probability that X will fall between dq/r + A and dq/r + A'. Similarly, if d ∈ Z, d ∈ {1, ..., r}, 1 < B < B' ≤ q/(2r), and dq/r − B, dq/r − B' ∈ Z, then
$$P\!\left(\frac{dq}{r} - B' \le X \le \frac{dq}{r} - B\right) \le \frac{1}{\pi q}\left(\cot\frac{\pi(B-1)r}{q} - \cot\frac{\pi B' r}{q}\right).$$



If d ∈ Z, d ∈ {0, 1, ..., r − 1}, 1 < A ≤ q/(2r), 1 < B ≤ q/(2r), and dq/r + A, (d+1)q/r − B ∈ Z, then let
$$C = \left\lfloor\frac{(2d+1)q}{2r}\right\rfloor - \frac{dq}{r},$$
so that C ≤ q/(2r) < C + 1, and then, by (?) and (?),
$$P\!\left(\frac{dq}{r} + A \le X \le \frac{(d+1)q}{r} - B\right) \le P\!\left(\frac{dq}{r} + A \le X \le \frac{dq}{r} + C\right) + P\!\left(\frac{(d+1)q}{r} - \left(\frac{q}{r} - C - 1\right) \le X \le \frac{(d+1)q}{r} - B\right)$$
$$\le \frac{1}{\pi q}\left(\cot\frac{\pi(A-1)r}{q} - \cot\frac{\pi C r}{q}\right) + \frac{1}{\pi q}\left(\cot\frac{\pi(B-1)r}{q} - \cot\left(\pi - \frac{\pi(C+1)r}{q}\right)\right)$$
$$= \frac{1}{\pi q}\left(\cot\frac{\pi(A-1)r}{q} + \cot\frac{\pi(B-1)r}{q} - \cot\frac{\pi C r}{q} + \cot\frac{\pi(C+1)r}{q}\right) \le \frac{1}{\pi q}\left(\cot\frac{\pi(A-1)r}{q} + \cot\frac{\pi(B-1)r}{q}\right),$$
since 0 < πCr/q ≤ π/2 < π(C+1)r/q, so that cot(πCr/q) is positive, and cot(π(C+1)r/q) is negative. Since cot y ≤ 1/y for 0 < y ≤ π/2, then it follows that
$$P\!\left(\frac{dq}{r} + A \le X \le \frac{(d+1)q}{r} - B\right) \le \frac{1}{\pi^2 r}\left(\frac{1}{A-1} + \frac{1}{B-1}\right).$$
Suppose 0 < u ≤ q/(2r) − 1; then it follows that
$$P\!\left(\frac{dq}{r} + u + 1 \le X \le \frac{(d+1)q}{r} - u - 1\right) \le \frac{1}{\pi^2 r}\left(\frac{1}{u} + \frac{1}{u}\right) = \frac{2}{\pi^2 r u},$$
thus demonstrating (?).

Adopting the same definitions of d_c and Δ_c that were used in §[?], then it follows that
$$P(|\Delta_X| \ge u + 1) = \sum_{d=0}^{r-1} P\!\left(\frac{dq}{r} + u + 1 \le X \le \frac{(d+1)q}{r} - u - 1\right) \le \sum_{d=0}^{r-1}\frac{2}{\pi^2 r u} = \frac{2}{\pi^2 u}.$$

Therefore it follows that the probability that the measured value of the first register falls outside a specified distance from a multiple of q/r is bounded above by a quantity which is inversely proportional to one less than the distance, with no dependence of the upper bound on the size of q, thus making the possibility unlikely if the specified distance is large.

For each value of d, we are interested in the values of
$$P\!\left(\rho_q\!\left(X, \frac{dq}{r}\right) < u + 1\right).$$
Upper and lower bounds can be easily determined for this if dq/r ∈ Z; specifically, by (?) and (?),
$$\frac{1}{r} - \frac{2}{q} + \frac{r}{q^2} \le P\!\left(X = \frac{dq}{r}\right) \le P\!\left(\rho_q\!\left(X, \frac{dq}{r}\right) < u + 1\right) = P\!\left(X = \frac{dq}{r}\right) + P\!\left(0 < \rho_q\!\left(X, \frac{dq}{r}\right) < u + 1\right)$$
$$\le \frac{1}{r} + \frac{2}{q} + \frac{r}{q^2} + 2(u+1)\frac{r}{q^2} = \frac{1}{r} + \frac{2}{q} + \frac{r}{q^2} + \frac{2(u+1)r}{q^2} = \frac{1}{r} + \frac{2}{q} + \frac{(2u+3)r}{q^2},$$
thus leading to (?).
If dq/r ∉ Z, then
$$P\!\left(\rho_q\!\left(X, \frac{dq}{r}\right) < u + 1\right) = \sum_{c \in \mathbb{Z},\ |c - \frac{dq}{r}| < u+1} P(X = c),$$
so that, by (?) and (?), and since |Δ_c| < u + 1 for all c in the sum,
$$P\!\left(\left|X - \frac{dq}{r}\right| < u + 1\right) \le \left(1 - \frac{\pi^2(u+1)^2 r^2}{6q^2}\right)^{-2}\sum_{c \in \mathbb{Z},\ |c - \frac{dq}{r}| < u+1}\left(\frac{\sin^2\frac{\pi d q}{r}}{\pi^2\left(c - \frac{dq}{r}\right)^2 r} + \frac{2\left|\sin\frac{\pi d q}{r}\right|}{\pi\left|c - \frac{dq}{r}\right| q} + \frac{r}{q^2}\right).$$
Specifically, if
$$u < \frac{q}{\pi r}\left|\sin\frac{\pi d q}{r}\right| - 1, \tag{25}$$
then
$$\sum_{c \in \mathbb{Z},\ |c - \frac{dq}{r}| < u+1}\left(\frac{\sin^2\frac{\pi d q}{r}}{\pi^2\left(c - \frac{dq}{r}\right)^2 r} - \frac{2\left|\sin\frac{\pi d q}{r}\right|}{\pi\left|c - \frac{dq}{r}\right| q} + \frac{r}{q^2}\right) \le P\!\left(\left|X - \frac{dq}{r}\right| < u + 1\right) \le \left(1 - \frac{\pi^2(u+1)^2 r^2}{6q^2}\right)^{-2}\sum_{c \in \mathbb{Z},\ |c - \frac{dq}{r}| < u+1}\left(\frac{\sin^2\frac{\pi d q}{r}}{\pi^2\left(c - \frac{dq}{r}\right)^2 r} + \frac{2\left|\sin\frac{\pi d q}{r}\right|}{\pi\left|c - \frac{dq}{r}\right| q} + \frac{r}{q^2}\right). \tag{26}$$



The terms inside the sums on the upper and lower bounds in (26) will now be investigated, one at a time.

By the Mittag-Leffler expansion into partial fractions for csc²(πz) from complex analysis (which can be found in many books on complex analysis, such as [?], or by differentiating the Mittag-Leffler expansion for cot(πz), which can also be found in books on complex analysis, such as [10, ?]),
$$\sum_{n=-\infty}^{\infty}\frac{1}{\pi^2(z-n)^2} = \frac{1}{\sin^2(\pi z)},$$
it follows that
$$\sum_{c \in \mathbb{Z}}\frac{\sin^2\frac{\pi d q}{r}}{\pi^2\left(c - \frac{dq}{r}\right)^2 r} = \frac{1}{r},$$
so that
$$\sum_{c \in \mathbb{Z},\ |c - \frac{dq}{r}| < u+1}\frac{\sin^2\frac{\pi d q}{r}}{\pi^2\left(c - \frac{dq}{r}\right)^2 r} = \frac{1}{r} - \sum_{c \in \mathbb{Z},\ |c - \frac{dq}{r}| \ge u+1}\frac{\sin^2\frac{\pi d q}{r}}{\pi^2\left(c - \frac{dq}{r}\right)^2 r}.$$
For z ∈ R∖Z,
$$\sum_{n \in \mathbb{Z},\ n - z \ge u+1}\frac{1}{(n-z)^2} \le \frac{1}{(\lceil z+u+1 \rceil - z)^2} + \int_{\lceil z+u+1 \rceil}^{\infty}\frac{d\xi}{(\xi - z)^2} = \frac{1}{(\lceil z+u+1 \rceil - z)^2} + \frac{1}{\lceil z+u+1 \rceil - z} \le \frac{1}{(u+1)^2} + \frac{1}{u+1} \le \frac{1}{u},$$
where for real y, ⌈y⌉ is the least integer greater than or equal to y. Similarly, for z ∈ R∖Z,
$$\sum_{n \in \mathbb{Z},\ n - z \ge u+1}\frac{1}{(n-z)^2} \ge \int_{\lceil z+u+1 \rceil}^{\infty}\frac{d\xi}{(\xi - z)^2} = \frac{1}{\lceil z+u+1 \rceil - z} \ge \frac{1}{u+2}.$$
It follows that
$$\frac{1}{u+2} \le \sum_{n \in \mathbb{Z},\ n - z \ge u+1}\frac{1}{(n-z)^2} \le \frac{1}{u}.$$
Similarly,
$$\frac{1}{u+2} \le \sum_{n \in \mathbb{Z},\ z - n \ge u+1}\frac{1}{(n-z)^2} \le \frac{1}{u},$$
so that
$$\frac{2}{u+2} \le \sum_{n \in \mathbb{Z},\ |n-z| \ge u+1}\frac{1}{(n-z)^2} \le \frac{2}{u},$$
and so
$$\sum_{c \in \mathbb{Z},\ |c - \frac{dq}{r}| \ge u+1}\frac{\sin^2\frac{\pi d q}{r}}{\pi^2\left(c - \frac{dq}{r}\right)^2 r} = \frac{1}{r} - \sum_{c \in \mathbb{Z},\ |c - \frac{dq}{r}| < u+1}\frac{\sin^2\frac{\pi d q}{r}}{\pi^2\left(c - \frac{dq}{r}\right)^2 r}$$
satisfies
$$\frac{2\sin^2\frac{\pi d q}{r}}{\pi^2 r (u+2)} \le \frac{1}{r} - \sum_{c \in \mathbb{Z},\ |c - \frac{dq}{r}| < u+1}\frac{\sin^2\frac{\pi d q}{r}}{\pi^2\left(c - \frac{dq}{r}\right)^2 r} \le \frac{2\sin^2\frac{\pi d q}{r}}{\pi^2 r u},$$
since dq/r ∉ Z, and so
$$\frac{1}{r} - \frac{2}{\pi^2 r u} \le \sum_{c \in \mathbb{Z},\ |c - \frac{dq}{r}| < u+1}\frac{\sin^2\frac{\pi d q}{r}}{\pi^2\left(c - \frac{dq}{r}\right)^2 r} \le \frac{1}{r}.$$
This accounts for the first term in the sums in the upper and lower bounds in (26).

Since ⌊2u + 1⌋ ≤ #{c ∈ Z : |c − dq/r| < u + 1} ≤ ⌈2u + 2⌉, then
$$\frac{r(2u+1)}{q^2} \le \sum_{c \in \mathbb{Z},\ |c - \frac{dq}{r}| < u+1}\frac{r}{q^2} \le \frac{r(2u+3)}{q^2}.$$
This accounts for the third term in the sums in the upper and lower bounds in (26).
All that remains is the second term in the sums. Since
$$\sum_{c \in \mathbb{Z},\ 0 < c - \frac{dq}{r} < u+1}\frac{1}{c - \frac{dq}{r}} \le \frac{1}{\left\lceil\frac{dq}{r}\right\rceil - \frac{dq}{r}} + \int_{\lceil dq/r \rceil}^{\lfloor u + dq/r \rfloor + 1}\frac{d\xi}{\xi - \frac{dq}{r}} = \frac{1}{\left\lceil\frac{dq}{r}\right\rceil - \frac{dq}{r}} + \ln\frac{\left\lfloor u + \frac{dq}{r}\right\rfloor + 1 - \frac{dq}{r}}{\left\lceil\frac{dq}{r}\right\rceil - \frac{dq}{r}} \le \frac{1}{\left\lceil\frac{dq}{r}\right\rceil - \frac{dq}{r}} + \ln\frac{u + 1}{\left\lceil\frac{dq}{r}\right\rceil - \frac{dq}{r}},$$
and similarly,
$$\sum_{c \in \mathbb{Z},\ 0 < \frac{dq}{r} - c < u+1}\frac{1}{\frac{dq}{r} - c} \le \frac{1}{\frac{dq}{r} - \left\lfloor\frac{dq}{r}\right\rfloor} + \ln\frac{u + 1}{\frac{dq}{r} - \left\lfloor\frac{dq}{r}\right\rfloor},$$
then
$$\sum_{c \in \mathbb{Z},\ |c - \frac{dq}{r}| < u+1}\frac{1}{\left|c - \frac{dq}{r}\right|} \le \frac{1}{\left\lceil\frac{dq}{r}\right\rceil - \frac{dq}{r}} + \frac{1}{\frac{dq}{r} - \left\lfloor\frac{dq}{r}\right\rfloor} + \ln\frac{(u+1)^2}{\left(\left\lceil\frac{dq}{r}\right\rceil - \frac{dq}{r}\right)\left(\frac{dq}{r} - \left\lfloor\frac{dq}{r}\right\rfloor\right)}.$$
Since 1/r ≤ dq/r − ⌊dq/r⌋ ≤ (r − 1)/r (and equivalently, 1/r ≤ ⌈dq/r⌉ − dq/r ≤ (r − 1)/r, noting that for y ∈ R∖Z, ⌈y⌉ − ⌊y⌋ = 1), then
$$\frac{1}{\left\lceil\frac{dq}{r}\right\rceil - \frac{dq}{r}} + \frac{1}{\frac{dq}{r} - \left\lfloor\frac{dq}{r}\right\rfloor} \le r + \frac{r}{r-1} = \frac{r^2}{r-1}.$$
Similarly,
$$\left(\left\lceil\frac{dq}{r}\right\rceil - \frac{dq}{r}\right)\left(\frac{dq}{r} - \left\lfloor\frac{dq}{r}\right\rfloor\right) \ge \frac{1}{r}\cdot\frac{r-1}{r} = \frac{r-1}{r^2},$$
so that
$$\ln\frac{(u+1)^2}{\left(\left\lceil\frac{dq}{r}\right\rceil - \frac{dq}{r}\right)\left(\frac{dq}{r} - \left\lfloor\frac{dq}{r}\right\rfloor\right)} \le \ln\frac{r^2(u+1)^2}{r-1},$$
and so
$$\sum_{c \in \mathbb{Z},\ |c - \frac{dq}{r}| < u+1}\frac{2\left|\sin\frac{\pi d q}{r}\right|}{\pi\left|c - \frac{dq}{r}\right| q} \le \frac{2}{\pi q}\left(\frac{r^2}{r-1} + \ln\frac{r^2(u+1)^2}{r-1}\right).$$
Gathering all the information about individual terms, it follows that if
$$u < \frac{q}{\pi r}\left|\sin\frac{\pi d q}{r}\right| - 1,$$
then
$$\frac{1}{r} - \frac{2}{\pi^2 r u} - \frac{2}{\pi q}\left(\frac{r^2}{r-1} + \ln\frac{r^2(u+1)^2}{r-1}\right) + \frac{r(2u+1)}{q^2} \le P\!\left(\rho_q\!\left(X, \frac{dq}{r}\right) < u + 1\right) \le \left(1 - \frac{\pi^2(u+1)^2 r^2}{6q^2}\right)^{-2}\left(\frac{1}{r} + \frac{2}{\pi q}\left(\frac{r^2}{r-1} + \ln\frac{r^2(u+1)^2}{r-1}\right) + \frac{r(2u+3)}{q^2}\right),$$
as a consequence of (26), (27), (28) and (29), thus yielding (?).
C Proof of Inequalities in the Analysis of the Refinement

If dq/r ∈ Z, then by (?) and the fact that q > 2wn³,
$$\frac{1}{r} - \frac{1}{wn^3} \le \frac{1}{r} - \frac{2}{q} + \frac{r}{q^2} \le P\!\left(\rho_q\!\left(X, \frac{dq}{r}\right) < wn\right) \le \frac{1}{r} + \frac{2}{q} + \frac{(2wn+1)r}{q^2} \le \frac{1}{r} + \frac{1}{wn^3} + \frac{(2wn+1)r}{4w^2n^6} \le \frac{1}{r} + \frac{1}{wn^3} + \frac{1}{2wn^4},$$
the final statement following from the fact that r < n, so that r ≤ n − 1, and so
$$(2wn+1)r \le (2wn+1)(n-1) = 2wn^2 - 2wn + n - 1 = 2wn^2 - (2w-1)n - 1 < 2wn^2.$$
This demonstrates (16).

If dq/r ∉ Z, then, by (?) and the fact that q > 2wn³,
$$\frac{1}{r} - \frac{2}{\pi^2(wn-1)} - \frac{1}{\pi w n^3}\left(n + 1 + \ln\frac{w^2 n^4}{n-1}\right) \le \frac{1}{r} - \frac{2}{\pi^2 r(wn-1)} - \frac{1}{\pi w n^3}\left(\frac{r^2}{r-1} + \ln\frac{r^2 w^2 n^2}{r-1}\right)$$
$$\le \frac{1}{r} - \frac{2}{\pi^2 r(wn-1)} - \frac{2}{\pi q}\left(\frac{r^2}{r-1} + \ln\frac{r^2 w^2 n^2}{r-1}\right) + \frac{r(2wn-1)}{q^2} \le P\!\left(\rho_q\!\left(X, \frac{dq}{r}\right) < wn\right)$$
$$\le \left(1 - \frac{\pi^2 w^2 n^2 r^2}{6q^2}\right)^{-2}\left(\frac{1}{r} + \frac{2}{\pi q}\left(\frac{r^2}{r-1} + \ln\frac{r^2 w^2 n^2}{r-1}\right) + \frac{r(2wn+1)}{q^2}\right) \le \frac{1}{r} + \frac{1}{\pi w n^3}\left(n + 1 + \ln\frac{w^2 n^4}{n-1}\right) + \frac{1}{2wn^4}.$$
The first inequality above follows from

• the fact that
$$(n+1)(r-1) - r^2 = (n+1)(r-1) - (r+1)(r-1) - 1 = (n-r)(r-1) - 1 \ge 0,$$
since n − r ≥ 1 and r > 1 (which is required by the fact that dq/r ∉ Z), so that r²/(r − 1) ≤ n + 1;

• the fact that
$$n^2(r-1) - r^2(n-1) = (n-r)(nr - n - r) = (n-r)[(n-1)(r-1) - 1] \ge 1\cdot(2-1) = 1,$$
since r ≥ 2 and n ≥ r + 1 ≥ 3, and so
$$\frac{r^2}{r-1} \le \frac{n^2}{n-1}.$$

This demonstrates (17).
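The following Python is added here as an example and is not part of the paper: it evaluates the first-register distribution P(X = c) of Section 9 and Appendix B exactly, then follows the analysis model of Section 9 (D_k read off the measured value, B_k = r/gcd(D_k, r), C_k = lcm(B_1, ..., B_k)) and the far-from-peak mass bounded in Appendix B, using the modular metric of Appendix A for the distance test. The parameters q = 64, r = 6 and wn = 3 are constructed sample values.

```python
"""Added example (not the paper's code): the first-register distribution of
Section 9 / Appendix B and the refinement's D_k, B_k, C_k analysis model.
q, r, wn below are constructed sample parameters."""
import cmath
import math
from math import gcd


def first_register_distribution(q, r):
    """P(X = c) for c = 0..q-1, register size q, true order r.

    Evaluates (1/q^2) sum_{k=0}^{r-1} |sum_{b=0}^{floor((q+k)/r)-1} exp(2 pi i b c r/q)|^2
    directly; the page collapses the inner geometric sums into sin^2 ratios,
    which is the same quantity but needs the cr/q-integral special case."""
    probs = []
    for c in range(q):
        z = cmath.exp(2j * math.pi * c * r / q)
        total = 0.0
        for k in range(r):
            terms = (q + k) // r           # floor((q+k)/r) summands
            if abs(z - 1) < 1e-12:         # cr/q integral: every summand is 1
                s = terms
            else:
                s = (z ** terms - 1) / (z - 1)
            total += abs(s) ** 2
        probs.append(total / q ** 2)
    return probs


def modular_metric(x, y, q):
    """rho_q(x, y) = min(|x - y|, q - |x - y|), the modular metric of Appendix A."""
    d = abs(x - y)
    return min(d, q - d)


def nearest_d(c, q, r):
    """D_k: the integer nearest to c r / q, with d = r folded onto d = 0."""
    return ((2 * c * r + q) // (2 * q)) % r


def divisor_distribution(q, r):
    """Distribution of B_k = r / gcd(D_k, r), the r' one run yields in the
    analysis model of Section 9 (D_k read off the measured value c)."""
    dist = {}
    for c, p in enumerate(first_register_distribution(q, r)):
        b = r // gcd(nearest_d(c, q, r), r)
        dist[b] = dist.get(b, 0.0) + p
    return dist


def prob_ck_equals_r(q, r, k):
    """P(C_k = r) for C_k = lcm(B_1, ..., B_k) over k independent runs,
    by exact dynamic programming over the divisors of r."""
    b_dist = divisor_distribution(q, r)
    state = {1: 1.0}                        # lcm of no runs
    for _ in range(k):
        nxt = {}
        for l, pl in state.items():
            for b, pb in b_dist.items():
                m = l * b // gcd(l, b)
                nxt[m] = nxt.get(m, 0.0) + pl * pb
        state = nxt
    return state.get(r, 0.0)


def prob_far_from_every_peak(q, r, wn):
    """P(rho_q(X, dq/r) >= wn for every d): the mass Appendix B bounds by
    2 / (pi^2 (wn - 1)) and that the refinement treats as a failed run."""
    total = 0.0
    for c, p in enumerate(first_register_distribution(q, r)):
        if all(modular_metric(c, d * q / r, q) >= wn for d in range(r)):
            total += p
    return total


if __name__ == "__main__":
    q, r = 64, 6                            # constructed: r does not divide q
    print(sum(first_register_distribution(q, r)))          # 1.0
    print(prob_ck_equals_r(q, r, 2))        # close to (1-1/4)(1-1/9) = 2/3
    print(prob_far_from_every_peak(q, r, 3))  # below 2/(pi^2 * 2), about 0.101
```

For r = 6 the asymptotic value from (18) is (1 − 1/4)(1 − 1/9) = 2/3, and the exact value returned for q = 64 already lies close to it.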



D Proof of Theorem 8.1

Lemma D.1

For each j ∈ J, define the random variable B_ij with sample space {0, 1, 2, ..., a_j} by setting
$$R_i = \prod_{j \in J} p_j^{B_{ij}}.$$
Specifically, B_ij is the power to which p_j is raised in the prime factorization of R_i. Then:

• The probability distribution for B_ij is given by
$$P(B_{ij} = b) = \begin{cases} \dfrac{p_j^b - p_j^{b-1}}{p_j^{a_j}}, & b > 0, \\[1ex] \dfrac{1}{p_j^{a_j}}, & b = 0. \end{cases}$$

• B_ij for i = 1, 2, 3, ..., and j ∈ J, are independent random variables.

Proof: Since B_ij = b iff b is the power to which p_j is raised in the prime factorization of R_i, and since R_i = s/gcd(Z_i, s), it follows that



$$P(B_{ij} = b) = P\!\left(p_j^{a_j - b} \mid \gcd(Z_i, s) \wedge p_j^{a_j - b + 1} \nmid \gcd(Z_i, s)\right) = \begin{cases} P\!\left(p_j^{a_j - b} \mid Z_i \wedge p_j^{a_j - b + 1} \nmid Z_i\right), & b > 0, \\[1ex] P\!\left(p_j^{a_j} \mid Z_i\right), & b = 0. \end{cases}$$
The number of elements of {0, 1, 2, ..., s − 1} which are divisible by p_j^{a_j − b} is s/p_j^{a_j − b} for all b = 0, 1, 2, ..., a_j, so that, since Z_i is uniformly distributed,
$$P\!\left(p_j^{a_j - b} \mid Z_i\right) = \frac{1}{p_j^{a_j - b}},$$
and so
$$P(B_{ij} = b) = \begin{cases} \dfrac{1}{p_j^{a_j - b}} - \dfrac{1}{p_j^{a_j - b + 1}} = \dfrac{p_j^b - p_j^{b-1}}{p_j^{a_j}}, & b > 0, \\[1ex] \dfrac{1}{p_j^{a_j}}, & b = 0. \end{cases}$$
This proves the required formula for P(B_ij = b).

For the independence of B_ij, one can invoke the Chinese Remainder Theorem (as Knill did in [?], for example). Alternatively, one can also take the following approach. For j_1, ..., j_l ∈ J, and for b_m = 0, 1, ..., a_{j_m} for m = 1, ..., l, then
$$P(B_{ij_1} = b_1, B_{ij_2} = b_2, \ldots, B_{ij_l} = b_l) = P\!\left(p_{j_m}^{b_m} \mid R_i \wedge p_{j_m}^{b_m + 1} \nmid R_i, \text{ for all } m = 1, \ldots, l\right) = P\!\left(p_{j_m}^{a_{j_m} - b_m} \mid \gcd(Z_i, s) \wedge p_{j_m}^{a_{j_m} - b_m + 1} \nmid \gcd(Z_i, s), \text{ for all } m = 1, \ldots, l\right).$$
For any divisor t of s, the number of elements of {0, 1, ..., s − 1} which are divisible by t is s/t, so that, for all i,
$$P(t \mid Z_i) = \frac{1}{t}.$$
It follows that for b_m = 0, 1, ..., a_{j_m}, m = 1, ..., l, then
$$P\!\left(\prod_{m=1}^{l} p_{j_m}^{a_{j_m} - b_m} \,\Big|\, \gcd(Z_i, s)\right) = \prod_{m=1}^{l}\frac{1}{p_{j_m}^{a_{j_m} - b_m}} = \prod_{m=1}^{l} P\!\left(p_{j_m}^{a_{j_m} - b_m} \mid Z_i\right). \tag{32}$$
For m = 1, ..., l, define f_m : {−1, 0, 1, ..., a_{j_m}} → R by
$$f_m(b) = \begin{cases} \dfrac{1}{p_{j_m}^{a_{j_m} - b}}, & b \ge 0, \\[1ex] 0, & b = -1; \end{cases}$$
then
$$P\!\left(p_{j_m}^{a_{j_m} - b} \mid \gcd(Z_i, s)\right) = f_m(b),$$
for b = −1, 0, 1, ..., a_{j_m}, and so, with the aid of (32),
$$P\!\left(\prod_{m=1}^{l} p_{j_m}^{a_{j_m} - b_m} \,\Big|\, \gcd(Z_i, s)\right) = \prod_{m=1}^{l} f_m(b_m),$$
for b_m = −1, 0, 1, ..., a_{j_m}, m = 1, ..., l. It follows that
$$P(B_{ij_1} = b_1, B_{ij_2} = b_2, \ldots, B_{ij_l} = b_l) = P\!\left(p_{j_m}^{a_{j_m} - b_m} \mid \gcd(Z_i, s) \wedge p_{j_m}^{a_{j_m} - b_m + 1} \nmid \gcd(Z_i, s), \text{ for all } m = 1, \ldots, l\right) = \prod_{m=1}^{l}\left(f_m(b_m) - f_m(b_m - 1)\right) = \prod_{m=1}^{l} P(B_{ij_m} = b_m),$$
for b_m = 0, 1, ..., a_{j_m}, m = 1, ..., l. For example, one can use a proof by induction on q to demonstrate that for b_m = 0, 1, ..., a_{j_m}, m = 1, ..., q, and for b_m = −1, 0, 1, ..., a_{j_m}, m = q + 1, ..., l,
$$P\!\left(F_m(b_m, Z_i) \text{ for } m = 1, \ldots, q, \text{ and } G_m(b_m, Z_i) \text{ for } m = q+1, \ldots, l\right) = \prod_{m=1}^{q} P(F_m(b_m, Z_i)) \prod_{m=q+1}^{l} P(G_m(b_m, Z_i)) = \prod_{m=1}^{q}\left(f_m(b_m) - f_m(b_m - 1)\right) \prod_{m=q+1}^{l} f_m(b_m),$$
where G_m(b, Z_i) denotes the proposition that p_{j_m}^{a_{j_m} − b} divides gcd(Z_i, s), and F_m(b, Z_i) denotes the proposition G_m(b, Z_i) ∧ ¬G_m(b − 1, Z_i), so that F_m(b, Z_i) is equivalent to the proposition that p_{j_m}^{a_{j_m} − b} divides gcd(Z_i, s) and p_{j_m}^{a_{j_m} − b + 1} does not divide gcd(Z_i, s). It follows that B_{ij_1}, B_{ij_2}, ..., B_{ij_l} are independent random variables. Since the set {j_1, j_2, ..., j_l} was arbitrary, and since the Z_i are independent random variables, it follows that B_ij for i = 1, 2, ..., and for j ∈ J, are independent random variables. □
The proof of Theorem 8.1 can now be given.

Proof: Let B_ij be random variables as in the proof of the Lemma, and define random variables C_kj by
$$C_{kj} = \max(B_{1j}, \ldots, B_{kj}),$$
then
$$S_k = \prod_{j \in J} p_j^{C_{kj}}.$$
Since the sample space for B_ij is {0, 1, ..., a_j} for all i, j, then the sample space for C_kj is also {0, 1, ..., a_j} for all k, j. From the result in the Lemma that
$$P(B_{ij} = a_j) = \frac{p_j^{a_j} - p_j^{a_j - 1}}{p_j^{a_j}} = 1 - \frac{1}{p_j}$$
for all i, j, then
$$P(B_{ij} < a_j) = \frac{1}{p_j}$$
for all i, j, and so
$$P(C_{kj} < a_j) = P(B_{ij} < a_j \text{ for } i = 1, \ldots, k) = \prod_{i=1}^{k} P(B_{ij} < a_j) = \frac{1}{p_j^k},$$
as a consequence of the independence of B_1j, B_2j, ..., B_kj (which follows from the independence of Z_i for i = 1, ..., k). It follows that
$$P(C_{kj} = a_j) = 1 - \frac{1}{p_j^k},$$
and so
$$P(S_k = s) = P(C_{kj} = a_j \text{ for all } j \in J) = \prod_{j \in J} P(C_{kj} = a_j) = \prod_{j \in J}\left(1 - \frac{1}{p_j^k}\right),$$
as a consequence of the independence of C_kj for j ∈ J (which follows from the independence of B_ij for i = 1, 2, ..., k and j ∈ J). Therefore
$$P(S_k = s) = \prod_{j \in J}\left(1 - \frac{1}{p_j^k}\right) \ge \prod_{p \text{ prime}}\left(1 - \frac{1}{p^k}\right) = \frac{1}{\zeta(k)}$$
for k ≥ 2. □
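The following Python is added here as an example rather than taken from the paper: it works Theorem 8.1 of Section 8 and its proof in Appendix D numerically, computing the exponent distribution of Lemma D.1, the exact value P(S_k = s) = ∏(1 − p_j^{−k}), the universal bound 1/ζ(k), and a Monte Carlo check of S_k = lcm(R_1, ..., R_k). The modulus s = 360 and the run counts are constructed sample values.

```python
"""Added example (not the paper's code): Theorem 8.1 of Section 8 and its proof
in Appendix D worked numerically.  The modulus s and the run counts k are
constructed sample values."""
import random
from math import gcd


def prime_factorization(s):
    """Return {p_j: a_j} with s = prod_j p_j^{a_j} (trial division)."""
    factors, p = {}, 2
    while p * p <= s:
        while s % p == 0:
            factors[p] = factors.get(p, 0) + 1
            s //= p
        p += 1
    if s > 1:
        factors[s] = factors.get(s, 0) + 1
    return factors


def exponent_distribution(p, a):
    """Lemma D.1: [P(B_ij = 0), ..., P(B_ij = a)], B_ij the exponent of p in R_i."""
    return [1 / p ** a] + [(p ** b - p ** (b - 1)) / p ** a for b in range(1, a + 1)]


def prob_sk_equals_s(s, k):
    """Exact P(S_k = s) = prod_j (1 - p_j^{-k}) from the proof in Appendix D:
    the exponent of p_j in S_k reaches a_j unless all k draws fall short,
    which happens with probability p_j^{-k}."""
    result = 1.0
    for p, a in prime_factorization(s).items():
        p_short = 1 - exponent_distribution(p, a)[a]   # P(B_ij < a_j) = 1/p_j
        result *= 1 - p_short ** k
    return result


def inverse_zeta(k, terms=200_000):
    """1/zeta(k) for k >= 2; zeta by partial sum plus the integral tail N^{1-k}/(k-1)."""
    zeta = sum(n ** (-k) for n in range(1, terms)) + terms ** (1 - k) / (k - 1)
    return 1 / zeta


def simulate_sk(s, k, trials, seed=0):
    """Monte Carlo P(S_k = s): Z_i uniform on {0..s-1}, R_i = s/gcd(Z_i, s)
    (the denominator of Z_i/s in lowest terms), S_k = lcm(R_1, ..., R_k)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        lcm = 1
        for _ in range(k):
            r_i = s // gcd(rng.randrange(s), s)
            lcm = lcm * r_i // gcd(lcm, r_i)
        hits += lcm == s
    return hits / trials


def bound_table(s, ks=(2, 4, 6, 8)):
    """{k: (exact P(S_k = s), universal lower bound 1/zeta(k))}."""
    return {k: (prob_sk_equals_s(s, k), inverse_zeta(k)) for k in ks}


if __name__ == "__main__":
    s = 360                                 # constructed: 2^3 * 3^2 * 5
    for k, (exact, bound) in bound_table(s).items():
        print(k, round(exact, 4), round(bound, 4), round(simulate_sk(s, k, 20_000), 4))
```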



E Proof of (18)

A similar method to the proof of Theorem 8.1 can be used. Let r have prime factorization
$$r = \prod_{j \in J} p_j^{a_j},$$
where J is some index set, the p_j are distinct primes, and a_j ≥ 1 for all j ∈ J. For each prime p, define the random variable E_kp, with sample space {0, 1, 2, ...}, by setting
$$B_k = \prod_{p \text{ prime}} p^{E_{kp}}.$$
Specifically, E_kp is the power to which p is raised in the prime factorization of B_k. By similar arguments to the ideal case, treated in §8 and Appendix D, then:

• For a finite set J_0 of primes, and for non-negative integers b_p for p ∈ J_0,
$$P(E_{kp} = b_p \text{ for all } p \in J_0) = O\!\left(\frac{1}{wn}\right)$$
if b_p > 0 for some p not dividing r, or b_{p_j} > a_j for some j ∈ J such that p_j ∈ J_0;

• For a finite set J_0 of primes, and for non-negative integers b_p for p ∈ J_0,
$$P(E_{kp} = b_p \text{ for all } p \in J_0) = \prod_{p_j \in J_0,\ b_{p_j} > 0}\frac{p_j^{b_{p_j}} - p_j^{b_{p_j} - 1}}{p_j^{a_j}} \prod_{p_j \in J_0,\ b_{p_j} = 0}\frac{1}{p_j^{a_j}} + O\!\left(\frac{1}{wn}\right)$$
if b_p = 0 for all p not dividing r, and b_{p_j} ≤ a_j for all j ∈ J such that p_j ∈ J_0.

It follows that for any subset J_0 ⊆ J,
$$P\!\left(E_{kp_j} < a_j \text{ for all } j \in J_0, \text{ and } E_{kp} = 0 \text{ for all } p \nmid r\right) = \prod_{j \in J_0}\frac{1}{p_j}\left(1 + O\!\left(\frac{1}{wn}\right)\right).$$
For all k and primes p, define the random variable F_kp by
$$F_{kp} = \max(E_{1p}, \ldots, E_{kp}),$$
so that
$$C_k = \prod_{p \text{ prime}} p^{F_{kp}}.$$
It follows that for a finite set J_0 of primes, and for non-negative integers b_p for p ∈ J_0 (with k bounded),
$$P(F_{kp} = b_p \text{ for all } p \in J_0) = O\!\left(\frac{1}{wn}\right)$$
if b_p > 0 for some p not dividing r, or b_{p_j} > a_j for some j ∈ J such that p_j ∈ J_0.

Since the A_k are independent random variables, then the B_k are independent random variables, so that for any subset J_0 ⊆ J,
$$P\!\left(F_{kp_j} < a_j \text{ for all } j \in J_0, \text{ and } F_{kp} = 0 \text{ for all } p \nmid r\right) = P\!\left(\text{for all } i = 1, \ldots, k,\ E_{ip_j} < a_j \text{ for all } j \in J_0, \text{ and } E_{ip} = 0 \text{ for all } p \nmid r\right) = \prod_{i=1}^{k} P\!\left(E_{ip_j} < a_j \text{ for all } j \in J_0, \text{ and } E_{ip} = 0 \text{ for all } p \nmid r\right).$$
Therefore, similarly to the idealized case,
$$P(C_k = r) = P\!\left(F_{kp_j} = a_j \text{ for all } j \in J, \text{ and } F_{kp} = 0 \text{ for all } p \nmid r\right) = \sum_{J_0 \subseteq J}(-1)^{\#(J_0)} P\!\left(F_{kp_j} < a_j \text{ for all } j \in J_0, \text{ and } F_{kp} = 0 \text{ for all } p \nmid r\right).$$
For k bounded and greater than or equal to 2, and since r < n, then for k ≥ 2 and k small,
$$P(C_k = r) = \prod_{j \in J}\left(1 - \frac{1}{p_j^k}\right) + O(n^{-\varepsilon}),$$
since w = n^ε, thus demonstrating (18).